Dan Walsh's Blog

Got SELinux?

A place people sometimes trip with SELinux is the labeling of files. SELinux requires files to be labeled correctly in order to function. Discretionary Access Control has the same requirement in that file must have the correct permissions and ownership. If a file does not have the correct permissions it can not be read, written or executed. Similarly if a file is not labeled correctly SELinux will prevent read/write/execute as well as many other permissions and transitions.

xen and qemu virtuallization has this problem alot. SELinux requires that images used by xen be labeled xen_image_t, and images used by qemu/libvirt be labeled virt_image_t. virt_manager currently does not do this by default and it creates the images in the current directory by default, which I hope they change. However there are directories where the image files will automatically get the correct label.

If you don't have a /xen directory, you need to create it and then reset the labeling.# mkdir /xen# restorecon /xen

For qemu/libvirt we have the labeling

/var/lib/libvirt/images(/.*)? system_u:object_r:virt_image_t:s0

If you were to store the xen images somewhere else, you would need to set up the labeling to that place. SELinux uses regular expressions to map files to file context so at the end of the directory specification you need to add (/.*)? which tells SELinux to label everything labeled in the directory and its subdirectories xen_image_t.

Note: If you are creating a whole new directory structure, you make need to label the entire directory tree xen_image_t. SELinux requires that a confined domain be able to list all directories in the path of the image. New directories created in / get either labeled default_t or root_t, default_t directories are not usually allowed to be searched. If you create the image in a directory tree that xen or virt are not allowed to list, you might need to build some custom policy.